10 Security Check-up Basics

I’ve worked with a number of clients regarding their Dealer Management Systems (DMS) and I’m surprised at what I find at times. I’m even shocked at times at the level of access given to employees who have absolutely no need for the level of access they’ve been given.

DMS security is not always as simple as your DMS providers would like for you to believe because to get the level of control most clients want there has to be a lot of options. The wrong combination of those options can have unintended consequences ranging from inhibiting job productivity (when they have too little access to do their job) to data risk (when too much access is given). Let’s look at some basic DMS security principles.

1. Not everyone is required to see the same options. Just because you have 5 or 10 modules (service, parts, business office, etc) doesn’t mean everyone needs to see them. Most DMS systems allow you to control exactly what options appear on a user’s screen. So, for example, a parts manager might need access to parts, service and customer management, but if they have no business being in the general ledger why even have that option appear on their screen?

2. Everyone doesn’t need to be a security officer or top-level admin. This level of access should be restricted to top-level executives and a select few who have been trained to set up new hires properly. You should have at least two security officers in every store.

3. Make sure the security rights are revoked upon termination. Seems simple but often gets overlooked.

4. If you DMS has the ability to set up predefined roles, use them. A service writer role with all the appropriate security settings will save you valuable time in setting up new hires and assures you that the same security rights have been provided for individuals performing the same duties.

5. Give rights only in the module needed. Some systems allow users to access the same functions from different modules. Provide access to the appropriate module only.

6. Start security at the most restrictive level, it’s easier to add additional security rights if it’s proven to be necessary than it is to remove security access. Once given, users develop a pattern of doing things that may not be the proper or most efficient way of doing things, it’s difficult to change.

7. Make sure the ability to change settings in your system is highly restricted. The ability to change preferences and system set up that work behind the scenes should be restricted to trained and trusted individuals. Someone with good intentions making a change as simple as selecting a

different finance reserve method that is wrong on a single lender can have a ripple effect all the way through to your financial statement.

8. Set up a dummy user account in your system. Then you can change security rights on the dummy user to test any combinations of security rights. If you then log in as that user you can see exactly what the user would see and tweak settings to fit their position. I had a client several months ago absolutely taken aback by the level of access his team members had been given. I set the dummy account up for him to see exactly what the majority of his staff was seeing, without him having to get their individual passwords and logging in.

9. Closely check access to customer private information, credit bureaus, and social security numbers as these should not be available to everyone in the store. It is a significant data risk.

10. Conduct a regular review (at least once every six months) of your user security. Job duties and functions change, and employees are given more security rights, without removing the rights they no longer need.

Now you have my top 10 security basics, what does your security check reveal?